New "safe" preview deployment workflows #406

reakaleek · 2025-02-03T22:32:11Z

Context

The current preview deployment workflow required pull_request_target to be able to deploy PRs from forks.

Using pull_request_target in conjunction with checking out the fork is considered a security risk.

This introduces a workflow setup that requires three workflows.

A workflow that builds the docs using the pull_request event and uploads it as artifacts
A workflow that downloads the artifacts and deploys the docs to the preview environment using the workflow_run event
A workflow that destroys the destroys the preview environment using the pull_request_target event (but without a checkout step)

This way untrusted code will never be checked out.

bmorelli25

🚀

reakaleek force-pushed the feature/new-preview-deploy branch from ee9141a to 5d7b82d Compare February 3, 2025 22:57

reakaleek added the feature label Feb 3, 2025

reakaleek force-pushed the feature/new-preview-deploy branch from 5d7b82d to e15bd30 Compare February 3, 2025 23:03

reakaleek marked this pull request as ready for review February 3, 2025 23:03

reakaleek requested a review from a team February 3, 2025 23:04

reakaleek self-assigned this Feb 3, 2025

reakaleek changed the title ~~New preview deployment workflows~~ New "safe" preview deployment workflows Feb 3, 2025

Add safe preview deployment workflows

95ea5bc

reakaleek force-pushed the feature/new-preview-deploy branch from b4cf08b to 95ea5bc Compare February 3, 2025 23:12

reakaleek mentioned this pull request Feb 3, 2025

Add fork-friendly PR preview deployment workflows elastic/docs-content#293

Merged

bmorelli25 approved these changes Feb 3, 2025

View reviewed changes

reakaleek enabled auto-merge (squash) February 3, 2025 23:21

reakaleek disabled auto-merge February 3, 2025 23:22

reakaleek merged commit 9322e16 into main Feb 3, 2025
5 checks passed

reakaleek deleted the feature/new-preview-deploy branch February 3, 2025 23:22